3.
Motivation
• It is hard for application developers to make a reasonable choice between existing password meters.
• Worse, some implement their own [or customize existing ones] without understanding the security and psychological implications.
• Some framework or set of criteria is needed to support a reasonable choice.

29.
Conclusions
• Test your security tools for security
• Avoid writing your own security tools
• All tested meters protect from online attacks
• They also seem to protect from offline attacks (for slow hashes and unique salts)
• But most tend to deny more passwords than necessary, including ones known to be hard
• Passwdqc and zxcvbn look best
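As an added illustration of "test your security tools for security" (example code written for this page, not taken from the slides or from passwdqc/zxcvbn), the harness below scores a meter on a labelled corpus for false accepts, for over-denial of known-hard passwords, and for whether everything it accepts survives an online and an offline guessing budget. The budgets, the two toy meters, the wordlist and the corpus are all constructed assumptions.

```python
# Attack budgets are assumptions, not figures from the slides: an online
# attacker throttled to ~1e6 guesses per account, and an offline attacker
# against a slow, uniquely salted hash managing ~1e4 guesses/s for a year.
ONLINE_BUDGET = 1e6
OFFLINE_BUDGET = 1e4 * 365 * 86400

# Constructed tiny wordlist standing in for a real dictionary.
COMMON = {"password", "123456", "letmein", "qwerty", "password1"}

def estimate_guesses(pw):
    """Crude guess-count estimate: dictionary hit, else half the keyspace."""
    if pw.lower() in COMMON:
        return len(COMMON)
    charset = 0
    if any(c.islower() for c in pw): charset += 26
    if any(c.isupper() for c in pw): charset += 26
    if any(c.isdigit() for c in pw): charset += 10
    if any(not c.isalnum() for c in pw): charset += 33
    return charset ** len(pw) / 2

def composition_meter(pw):
    """Classic rule-based meter: length >= 8 plus upper, lower and a digit."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def guess_count_meter(pw, threshold=OFFLINE_BUDGET):
    """Accept only passwords whose estimated guess count exceeds the budget."""
    return estimate_guesses(pw) >= threshold

# Constructed corpus with expert labels; the passphrase is the "known to be
# hard" case that rule-based meters typically deny.
CORPUS = [("password", "weak"), ("123456", "weak"), ("letmein", "weak"),
          ("Password1", "weak"),
          ("correct horse battery staple", "strong"),
          ("Tr0ub4dor&3", "strong"), ("zx9!Qm2#LpW4", "strong")]

def evaluate(meter, corpus=CORPUS):
    """Report false accepts, over-denial, and whether every accepted
    password survives the online and offline attack budgets."""
    accepted = {pw for pw, _ in corpus if meter(pw)}
    weak_accepted = [pw for pw, lbl in corpus if lbl == "weak" and pw in accepted]
    strong_rejected = [pw for pw, lbl in corpus if lbl == "strong" and pw not in accepted]
    weakest = min((estimate_guesses(pw) for pw in accepted), default=0)
    return {"weak_accepted": weak_accepted, "strong_rejected": strong_rejected,
            "survives_online": weakest >= ONLINE_BUDGET,
            "survives_offline": weakest >= OFFLINE_BUDGET}

if __name__ == "__main__":
    for m in (composition_meter, guess_count_meter):
        print(m.__name__, evaluate(m))
```

Swapping a real meter (e.g. a zxcvbn wrapper returning its guess estimate) into `evaluate` is how the same harness would measure the tools the slides compare.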